HORIZONTAL ISOGENY GRAPHS OF ORDINARY ABELIAN
VARIETIES AND THE DISCRETE LOGARITHM PROBLEM 

DIMITAR JETCHEV AND BENJAMIN WESOLOWSKI 


Abstract. Fix an ordinary abelian variety defined over a finite field. The
ideal class group of its endomorphism ring acts freely on the set of isogenous
varieties with same endomorphism ring, by complex multiplication. Any
subgroup of the class group, and generating set thereof, induces an isogeny
graph on the orbit of the variety for this subgroup. We compute (under the
Generalized Riemann Hypothesis) some bounds on the norms of prime ideals
generating it, such that the associated graph has good expansion properties.

We use these graphs, together with a recent algorithm of Dudeanu, Jetchev
and Robert for computing explicit isogenies in genus 2, to prove random
self-reducibility of the discrete logarithm problem within the subclasses of
principally polarizable ordinary abelian surfaces with fixed endomorphism ring.
In addition, we remove the heuristics in the complexity analysis of an algorithm
of Galbraith for explicitly computing isogenies between two elliptic curves in
the same isogeny class, and extend it to a more general setting including genus 2.


1. Introduction 

1.1. Motivation. Let $\mathscr{C}$ be a hyperelliptic curve of genus $g$ defined
over a finite field $\mathbb{F}_q$ and let $\mathscr{J} = \mathrm{Jac}(\mathscr{C})$
be its Jacobian - a principally polarized abelian surface over $\mathbb{F}_q$.
The discrete logarithm problem (or DLP) in genus $g$ is the following: given
$P \in \mathscr{J}(\mathbb{F}_q)$ and $Q = rP \in \mathscr{J}(\mathbb{F}_q)$ for
some secret multiplier $r$, compute $r$. The problem for $g = 1$ is known as the
elliptic curve discrete logarithm problem (or ECDLP); it is a central tool in
public key cryptography, and has been extensively studied since its introduction
in the 1980's [Mil86, Kob87]. The case of $g = 2$ has been shown to be a
promising alternative, allowing very efficient arithmetic [Gau07, BCHL16], but
very little is known about the hardness of the corresponding version of the DLP.
Apart from the question of the hardness of the problem on a particular Jacobian,
one may ask how the difficulty of the problem compares on two distinct Jacobians.
A natural way of transferring the problem from one Jacobian to another is via
isogenies. It is thus of interest to study whether two Jacobians of genus 2
curves have the same difficulty of the problem, assuming that there exists an
isogeny between them. Tate's isogeny theorem [Tat66] implies that two abelian
surfaces over a finite field are isogenous if and only if the characteristic
polynomials of the Frobenius acting on their $\ell$-adic Tate modules are the
same. The latter can be computed efficiently, so it is easy to determine if two
Jacobians are isogenous. It is however not clear how to explicitly compute an
isogeny between two such Jacobians, which is actually needed to transfer the
discrete logarithm problem.

The case of ordinary elliptic curves has been treated by Jao, Miller and
Venkatesan [JMV05, JMV09] using random walks on isogeny graphs and rapid mixing
arguments. A crucial ingredient in their analysis is that one can efficiently
compute isogenies of small degrees, polylogarithmic in $q$. More precisely, one
considers a graph with vertices the set of isomorphism classes of elliptic
curves in the isogeny class that have a fixed endomorphism ring. These
isomorphism classes correspond, by CM theory, to the ideal classes of that
endomorphism ring. The edges of the graph correspond to horizontal isogenies,
that is, $\mathfrak{a}$-transforms in the language of [ST61]. It turns out that
it is connected for suitably chosen bounds on the ideal norms and, under GRH, it
rapidly mixes random walks (i.e., behaves as an expander graph). Via random
walks on this graph, one can show that it is possible to reduce the discrete
logarithm problem from a given curve to the problem on a uniformly random curve
in that class, thus obtaining random self-reducibility of the elliptic curve
discrete logarithm problem within the class.

The similar problem in genus 2 is much more challenging since, unlike elliptic
curves, abelian surfaces are not a priori principally polarized, so a quotient
of a Jacobian by a finite subgroup need not be the Jacobian of a curve. Even if
it is, there might be multiple non-equivalent principal polarizations giving
rise to non-isomorphic curves.^1 In addition, if one tries the straightforward
analogy to [JMV05] of constructing isogeny graphs with vertices that are ideal
classes in the class group of the endomorphism algebra (in this case, a quartic
CM-field), one may get abelian surfaces that are not even principally
polarizable and hence, unsuitable for transferring the discrete logarithm
problem in practice. Finally, even if the target is principally polarizable, for
the purpose of proving random self-reducibility, one does not need just one
principal polarization on the target, but all of them, or at least the
capability to sample one uniformly at random.

1.2. Main theorem. Jacobians of genus 2 hyperelliptic curves will be seen as a
particular case of the following, more general situation. Let $\mathscr{A}$ be
an absolutely simple, ordinary abelian variety of dimension $g$ over a finite
field and let $K = \mathrm{End}(\mathscr{A}) \otimes \mathbb{Q}$ be the
corresponding CM field. The endomorphism ring $\mathrm{End}(\mathscr{A})$ is
isomorphic to an order $\mathcal{O}$ of conductor $\mathfrak{f}$ in $K$. The
ideal class group $\mathrm{Cl}(\mathcal{O})$ acts freely on the set of varieties
isogenous to $\mathscr{A}$ with same endomorphism ring $\mathcal{O}$, by complex
multiplication. Let $H \subset \mathrm{Cl}(\mathcal{O})$ be any subgroup and let
$H(\mathscr{A})$ be the $H$-orbit of $\mathscr{A}$. The choice of a set $S$ of
invertible ideals in $\mathcal{O}$ generating $H$ induces a graph whose set of
vertices is $H(\mathscr{A})$ and whose edges are labelled with isogenies between
these abelian varieties. The norms of the ideals in $S$ are exactly the degrees
of the induced isogenies. For any $B > 0$ and ideal $\mathfrak{m}$ in
$\mathcal{O}$, let $S_B$ be the set of ideals in $\mathcal{O}$ of prime norm and
coprime to $\mathfrak{f}\mathfrak{m}$. Let $\mathscr{G}_B$ be the induced
isogeny graph, where all the degrees are bounded by $B$.

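Theorem 1.1 (Rapid mixing for $H(\mathscr{A})$). Assuming the Generalized
Riemann Hypothesis, for any $\varepsilon > 0$, there exists a bound

$$B = O\left(\left(g\,[\mathrm{Cl}(\mathcal{O}) : H]\,\ln(d_K N(\mathfrak{f}\mathfrak{m}))\right)^{2+\varepsilon}\right),$$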


^1 An example of this phenomenon has been given by Howe [How96]. More precisely,
Howe showed that the curves $y^2 = x^5 + x^3 + x^2 - x - 1$ and
$y^2 = x^5 - x^3 + x^2 - x - 1$ over $\mathbb{F}_{11}$ are not isomorphic; yet,
their Jacobians are absolutely simple and isomorphic as non-polarized abelian
surfaces.

such that for any subset $W$ of $H(\mathscr{A})$, any random walk in
$\mathscr{G}_B$ of length at least $\ln(2|H|/|W|^{1/2})$ starting from a given
vertex will end in $W$ with probability between $|W|/(2|H|)$ and $3|W|/(2|H|)$.
In particular, the regular graph $\mathscr{G}_B$ is connected and rapidly mixes
random walks.

It is worth noticing that even the connectivity of the graph is new: the
classical bounds for connectivity are derived from Bach's bounds [Bac90], which
can only be applied when $H$ is the full class group $\mathrm{Cl}(\mathcal{O})$.
We will prove Theorem 1.2 as a corollary of the following theorem. It constructs
and proves that certain Cayley graphs for subgroups of more general ray class
groups are expanders.

Theorem 1.2. Let $K$ be a number field of degree $n$ and discriminant $d_K$,
$\mathfrak{m}$ an integral ideal of $\mathcal{O}_K$, $G$ the narrow ray class
group of $K$ modulo $\mathfrak{m}$, and $H$ a subgroup of $G$. For any ideal
$\mathfrak{l}$ of $\mathcal{O}_K$ coprime to $\mathfrak{m}$, let $[\mathfrak{l}]$
denote its image in $G$. Let

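$= \{\text{prime ideals } \mathfrak{l} \text{ of } \mathcal{O}_K \mid (\mathfrak{l}, \mathfrak{m}) = 1,\ N\mathfrak{l} < B \text{ is prime and } [\mathfrak{l}] \in H\}.$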

Let $T_{H,\mathfrak{m}}(B)$ be the multiset of its image in $G$. Let
$\mathscr{G}_B$ be the graph whose vertices are the elements of $H$ and whose
non-oriented edges are precisely $(h, sh)$ for any $h \in H$ and
$s \in T_{H,\mathfrak{m}}(B)$. Assuming the Generalized Riemann Hypothesis, for
any character $\chi$ of $H$, the corresponding eigenvalue $\lambda_\chi$ of the
Cayley graph $\mathscr{G}_B$ satisfies

X x = (B) + O (nB 1 ' 2 ]n{Bd K Nm)) , 

where $\delta(\chi)$ is 1 if $\chi$ is trivial, and 0 otherwise. The implied constants are absolute.

Note that a similar result is proven in [JMV09], where $H$ is the full narrow
ray class group, rather than a subgroup. It was sufficient to study isogeny
graphs of elliptic curves, which can be represented as Cayley graphs of class
groups in imaginary quadratic fields. However, it is not strong enough for
higher genus, where one needs to work on subgroups of class groups of CM-fields,
due to the extra condition of principal polarizability. Since properties of
expander graphs do not transfer nicely to subgraphs in general, the refinement
provided by Theorem 1.2 is crucial.

1.3. Applications of Theorem 1.1. Using the CM theory for polarized class
groups, we will apply Theorem 1.1 to analyse isogeny graphs of Jacobians of
hyperelliptic curves of genus 2. More precisely, let $\mathscr{A}$ be an
absolutely simple, ordinary principally polarizable abelian surface. Let $K$ be
its quartic CM-field, and let $K_0$ be its real quadratic subfield, and let
$\mathcal{O}$ be the order in $K$ isomorphic to $\mathrm{End}(\mathscr{A})$. Let
$\mathscr{P}(\mathcal{O}) \subset \mathrm{Cl}(\mathcal{O})$ be the image of the
natural projection of the Shimura class group $\mathfrak{C}(\mathcal{O})$ on the
ideal class group $\mathrm{Cl}(\mathcal{O})$. As explained in Section 2.3.2, the
orbit of the CM-action of $\mathscr{P}(\mathcal{O})$ on $\mathscr{A}$ is a set
of $\mathbb{F}_q$-isomorphism classes of principally polarizable abelian
surfaces isogenous to $\mathscr{A}$ and with same endomorphism ring
$\mathcal{O}$. This orbit contains all such isomorphism classes when the
CM-action is transitive, for instance when $\mathcal{O}$ has maximal real
multiplication (i.e., $\mathcal{O}_{K_0} \subset \mathcal{O}$). Let $d_K$ be the
discriminant of $K$. Applying Theorem 1.1 allows us to construct isogeny graphs
on this orbit that are expanders, and where all the isogenies are cyclic, with
prime degrees bounded by
$O\left(([\mathrm{Cl}(\mathcal{O}) : \mathscr{P}(\mathcal{O})] \ln d_K)^{2+\varepsilon}\right)$.
When $K$ is a primitive CM-field, the index
$[\mathrm{Cl}(\mathcal{O}) : \mathscr{P}(\mathcal{O})]$ is the narrow class
number of $\mathcal{O} \cap K_0$.

This result is used for two major applications, concerning the discrete
logarithm problem in genus 2 and the computation of explicit isogenies between
two isogenous principally polarized ordinary abelian surfaces. Aside from this,
we remove certain heuristics from the complexity analysis of Galbraith's
algorithm for elliptic curves.

1.3.1. Random self-reducibility of the discrete logarithm problem in genus 2. We
use the rapid mixing properties of isogeny graphs to prove that the discrete
logarithm problem in genus 2 is random self-reducible in isogeny subclasses of
ordinary Jacobians of genus 2 curves over a finite field, thus extending the
similar result for elliptic curves proved in [JMV09, Th. 1.6].

Theorem 1.3 (Random self-reducibility in genus 2). Let $K$ be a primitive
quartic CM-field, $K_0$ its maximal real subfield, and $\mathcal{O}$ an order in
$K$. Let $\mathscr{J}$ be a Jacobian defined over $\mathbb{F}_q$ of endomorphism
ring isomorphic to $\mathcal{O}$. Let $V$ be the set of all
$\mathbb{F}_q$-isomorphism classes of Jacobians defined over $\mathbb{F}_q$,
isomorphic to $\mathscr{J}$ and with endomorphism ring isomorphic to
$\mathcal{O}$. Let $G$ be a subgroup of $\mathscr{J}(\mathbb{F}_q)$ of order $Q$.
Suppose that

(1) there is a polynomial time (in $\log q$) algorithm $A$ that solves the DLP
for a positive proportion $\mu > 0$ of the Jacobians in $V$,

(2) $\mathcal{O} \cap K_0$ is the ring of integers of $K_0$, and
$[\mathcal{O} : \mathbb{Z}[\pi, \bar{\pi}]]$ is coprime to $2Q$.

Then, assuming the Generalized Riemann Hypothesis, there is an absolute
polynomial $P$ in three variables such that the DLP can be solved on $G$ by a
probabilistic algorithm of expected runtime
$P(\log q, h^+_{\mathcal{O}_0}, \mathrm{Disc}(K_0))/\mu$, where
$h^+_{\mathcal{O}_0}$ is the narrow class number of the order
$\mathcal{O}_0 = \mathcal{O} \cap K_0$.

Remark 1. In most practical applications, since the CM method is currently the
only viable method to generate cryptographic parameters, both the narrow class
number $h^+_{\mathcal{O}_0}$ and the discriminant $\mathrm{Disc}(K_0)$ are small
(constant or at most polynomial in $\log q$), and the above algorithm yields a
polynomial (in $\log q$) reduction and thus, justifies the common cryptographic
belief that the security of these curves is governed only by the characteristic
polynomial of Frobenius.

Remark 2. The conditions that $\mathcal{O} \cap K_0$ is the ring of integers of
$K_0$, and $[\mathcal{O} : \mathbb{Z}[\pi, \bar{\pi}]]$ is coprime to $2Q$
appear because they are required by the only currently known algorithm
[DJR14, Dud16] to compute cyclic isogenies in genus 2.

1.3.2. Explicit isogenies in genus 2. In [Gal99], Galbraith considers the
problem of computing an explicit isogeny between two isogenous ordinary elliptic
curves $E_1$ and $E_2$ over $\mathbb{F}_q$. His approach is based on considering
isogeny graphs and growing trees rooted at both $E_1$ and $E_2$ of small-degree
computable isogenies until a collision is found. Galbraith's original algorithm
is proven to finish in probabilistic polynomial time (in $\log q$), finding a
path of length $O(\ln h_K)$ from $E_1$ to $E_2$, under GRH and a heuristic
assumption claiming that the distribution of the new random points found in the
process of growing the trees is close to uniform. In Section 5 we use the
expander properties of isogeny graphs to construct and analyze an algorithm
similar to the one from [Gal99]. This new algorithm improves upon Galbraith's in
two ways. Firstly, its analysis relies only on GRH, without any additional
heuristics. Secondly, it works in a generalized framework which, in particular,
encompasses the case of elliptic curves, and of Jacobians of genus 2
hyperelliptic curves.

1.4. Organization of the paper. Section 2 contains the necessary background on
abelian varieties with complex multiplication, polarizations, and canonical
lifting, and uses this theory to build the bridge between isogeny graphs and
some Cayley graphs. In Section 3 we prove Theorem 1.2 and use it to prove
Theorem 1.1. In Section 4 we discuss the consequences of these results on
isogeny graphs of principally polarized abelian surfaces over finite fields and
deduce Theorem 1.3, the random self-reducibility. Finally, we present the
generalization of Galbraith's algorithm as well as the new complexity analysis
in Section 5.


2. Isogeny graphs of ordinary abelian varieties 

In this section, we describe the relation between our graphs of interest - graphs 
of horizontal isogenies between ordinary abelian varieties over finite fields - and 
class groups of certain number fields, or subgroups thereof. 

2.1. Isogeny graphs over finite fields. Let $\mathscr{A}$ be an absolutely
simple, ordinary abelian variety of dimension $g$ over a finite field
$\mathbb{F}_q$. Its endomorphism algebra
$K = \mathrm{End}(\mathscr{A}) \otimes \mathbb{Q}$ is a CM-field, that is a
totally imaginary quadratic extension of a totally real number field $K_0$. The
field $K_0$ is of degree $g$ over $\mathbb{Q}$. The Frobenius polynomial is the
characteristic polynomial of the Frobenius endomorphism $\pi$ acting on the
$\ell$-adic Tate module for $\ell$ different from the characteristic of
$\mathbb{F}_q$. This endomorphism generates the field $K = \mathbb{Q}(\pi)$, and
a theorem due to Tate [Tat66] states that two abelian varieties defined over
$\mathbb{F}_q$ are isogenous if and only if they have the same Frobenius
polynomial. This element $\pi$ seen in $\overline{\mathbb{Q}}$ is a $q$-Weil
number, and it uniquely determines the isogeny class of simple abelian varieties
over $\mathbb{F}_q$ with Frobenius $\pi$ [Str10, Lemma IV.2.2]. The endomorphism
ring of $\mathscr{A}$ is an order $\mathcal{O} = \mathrm{End}(\mathscr{A})$ in
the CM-field $K$. We are interested in horizontal isogeny graphs, i.e., graphs
whose vertices are abelian varieties with the same endomorphism ring
$\mathcal{O}$ and whose edges are labelled by certain isogenies between these
varieties.

The abelian varieties arising in cryptography are constructed as Jacobians of
some hyperelliptic curves (usually of genus 1 or 2), and are therefore
principally polarized. The case of elliptic curves is well understood and the
literature on their isogeny graphs is already extensive. The present work aims
at generalizing some of that literature, dealing with horizontal isogeny graphs,
to other families of abelian varieties. We put a particular focus on principally
polarized abelian surfaces, where these new results combined with the algorithm
of [DJR14, Dud16] give rise to some interesting applications, yet the framework
we develop is much more general.

2.2. Class groups of orders. Class groups of orders in number fields are closely
related to horizontal isogeny graphs, via the theory of complex multiplication,
as will be recalled in Section 2.3. In this subsection, we fix the notations and
recall some useful results on class groups.

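Let $K$ be a number field. Then, $\mathscr{I}(K)$ denotes the group of
fractional ideals of $\mathcal{O}_K$. Fix a modulus $\mathfrak{m}$, that is a
formal product of primes in $K$, finite or infinite. The finite part is an ideal
$\mathfrak{m}_0$ in $\mathcal{O}_K$, and the infinite part is a subset
$\mathfrak{m}_\infty$ of the real embeddings of $K$. Let
$\mathscr{I}_{\mathfrak{m}}(K)$ be the subgroup generated by ideals coprime to
$\mathfrak{m}_0$. Let $P^{\mathfrak{m}}_{K,1}$ be the subgroup of
$\mathscr{I}_{\mathfrak{m}}(K)$ generated by principal ideals of the form
$\alpha\mathcal{O}_K$ where
$\mathrm{ord}_{\mathfrak{p}}(\alpha - 1) \geq \mathrm{ord}_{\mathfrak{p}}(\mathfrak{m}_0)$
for all primes $\mathfrak{p}$ dividing $\mathfrak{m}_0$, and $\iota(\alpha) > 0$
for all $\iota \in \mathfrak{m}_\infty$. The ray class group of $K$ modulo
$\mathfrak{m}$ is the quotient group
$\mathrm{Cl}_{\mathfrak{m}}(K) = \mathscr{I}_{\mathfrak{m}}(K)/P^{\mathfrak{m}}_{K,1}$.
The narrow ray class group modulo the ideal $\mathfrak{m}_0$ is
$\mathrm{Cl}_{\mathfrak{m}}(K)$ when $\mathfrak{m}_\infty$ contains all the real
embeddings.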

Example 1. The subgroup $P^{\mathcal{O}_K}_{K,1}$ is generated by all the
principal ideals, so $\mathrm{Cl}_{\mathcal{O}_K}(K)$ is the usual ideal class
group $\mathrm{Cl}(K)$. Also, the narrow ray class group modulo $\mathcal{O}_K$
is exactly the narrow class group $\mathrm{Cl}^+(K)$.

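Let $\mathcal{O}$ be an order in $K$. The conductor of $\mathcal{O}$, defined as
$\mathfrak{f} = \{x \in K \mid x\mathcal{O}_K \subset \mathcal{O}\}$, is an
invariant of the order. It is the largest subset of $K$ that is simultaneously
an ideal in $\mathcal{O}$ and in the maximal order $\mathcal{O}_K$. An ideal in
$\mathcal{O}$ is invertible if and only if it is coprime to the conductor
$\mathfrak{f}$. Let $\mathscr{I}(\mathcal{O})$ denote the group of invertible
ideals of $\mathcal{O}$, and $P(\mathcal{O})$ the subgroup generated by
principal ideals. The class group of $\mathcal{O}$ is the quotient
$\mathrm{Cl}(\mathcal{O}) = \mathscr{I}(\mathcal{O})/P(\mathcal{O})$. It can
also be expressed as a quotient of $\mathscr{I}_{\mathfrak{f}}(K)$ as follows.
Let $P^{\mathfrak{f}}_{K,\mathcal{O}}$ be the subgroup of
$\mathscr{I}_{\mathfrak{f}}(K)$ generated by principal ideals
$\alpha\mathcal{O}_K$ where $\alpha \in \mathcal{O}$ and
$\alpha\mathcal{O} + \mathfrak{f} = \mathcal{O}$. From [LD15, Th. 3.8] and
[LD15, Th. 3.11], the map sending any integral ideal $\mathfrak{a}$ of
$\mathcal{O}_K$ to the ideal $\mathfrak{a} \cap \mathcal{O}$ of $\mathcal{O}$
extends to a surjection
$\mathscr{I}_{\mathfrak{f}}(K) \to \mathrm{Cl}(\mathcal{O})$ with kernel
$P^{\mathfrak{f}}_{K,\mathcal{O}}$. Therefore, it induces an isomorphism

$$\mathrm{Cl}(\mathcal{O}) \cong \mathscr{I}_{\mathfrak{f}}(K)/P^{\mathfrak{f}}_{K,\mathcal{O}}.$$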

From [LD15, Th. 4.2], there is a unique abelian extension $H(\mathcal{O})$ of
$K$, the ring class field of $\mathcal{O}$, such that all primes of $K$ ramified
in $H(\mathcal{O})$ divide $\mathfrak{f}$, and the kernel of the Artin map

Ph { o)/k ■■ «*f(*Q Gal(77(0)/7t) 

is $P^{\mathfrak{f}}_{K,\mathcal{O}}$. This map then induces an isomorphism
$\mathrm{Cl}(\mathcal{O}) \cong \mathrm{Gal}(H(\mathcal{O})/K)$. Similarly,
there is a unique abelian extension $H^+(\mathcal{O})$, the narrow ring class
field of $\mathcal{O}$, ramified only at primes dividing $\mathfrak{f}$ and at
infinite primes, such that $\mathrm{Gal}(H^+(\mathcal{O})/K)$ is isomorphic to
the narrow class group $\mathrm{Cl}^+(\mathcal{O})$, through the Artin map.

2.3. Abelian varieties over C with CM. A key tool for studying isogeny graphs
is the theory of complex multiplication (henceforth, CM theory). The main
reference for this section is [ST61]. Let
$\mathscr{A}_{\mathbb{C}} = \mathbb{C}^g/\Lambda$ be an abelian variety of
dimension $g$ over $\mathbb{C}$, where $\Lambda$ is a lattice, that has complex
multiplication by a CM-field $K$ and let $K_0$ be the real subfield of $K$ of
degree $g$.

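2.3.1. CM-types. The field $K$ has $2g$ embeddings in $\mathbb{C}$ which we
denote $\varphi_1, \ldots, \varphi_{2g}$. An endomorphism of
$\mathscr{A}_{\mathbb{C}}$ yields an endomorphism of $\mathbb{C}^g$ and of
$\Lambda$. We get an analytic representation
$\rho_a : \mathrm{End}(\mathscr{A}_{\mathbb{C}}) \to \mathrm{End}_{\mathbb{C}}(\mathbb{C}^g)$
and a rational representation
$\rho_r : \mathrm{End}(\mathscr{A}_{\mathbb{C}}) \to \mathrm{End}_{\mathbb{Z}}(\Lambda)$.
We have $\rho_r \otimes \mathbb{C} \cong \rho_a \oplus \overline{\rho_a}$ and at
the same time,
$\rho_r \otimes \mathbb{C} \cong \varphi_1 \oplus \cdots \oplus \varphi_{2g}$.
It follows that, up to some reindexing,
$\rho_a = \varphi_1 \oplus \cdots \oplus \varphi_g$ where
$\varphi_1, \ldots, \varphi_g$ are not pairwise conjugate. We call
$(K; \{\varphi_1, \ldots, \varphi_g\})$ the CM-type of
$\mathscr{A}_{\mathbb{C}}$. The abelian variety $\mathscr{A}_{\mathbb{C}}$ is
simple if and only if its CM-type is primitive, which means that $(K; \Phi)$ is
not a lift of a CM-type on a CM-subfield of $K$ [ST61, §8.2].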

Remark 3. If $g = 2$, the abelian surface $\mathscr{A}_{\mathbb{C}}$ is simple
if and only if the field $K$ is a primitive CM-field, i.e., $K$ does not have
any proper CM-subfield. This follows from [Str10, Lemma 1.3.4].

Fix a CM-type $\Phi = \{\varphi_1, \ldots, \varphi_g\}$ for $K$. Any abelian
variety over $\mathbb{C}$ of CM-type $(K; \Phi)$ is isomorphic to
$\mathbb{C}^g/\Phi(\mathfrak{m})$ for some full-rank lattice $\mathfrak{m}$ in
$K$, where $\Phi : K \to \mathbb{C}^g$ is given by
$x \mapsto (\varphi_1(x), \ldots, \varphi_g(x))$. Let $\mathcal{O}$ be the order
of $K$ isomorphic to the endomorphism ring of the variety. Then, the lattice
$\mathfrak{m}$ is an $\mathcal{O}$-submodule of $K$, and $\mathcal{O}$ coincides
with the order $\mathcal{O}(\mathfrak{m})$ associated to the lattice,

$$\mathcal{O}(\mathfrak{m}) = \{\alpha \in K \mid \alpha\mathfrak{m} \subset \mathfrak{m}\}.$$

Given an ideal $\mathfrak{a}$ in $\mathcal{O}$, the variety
$\mathbb{C}^g/\Phi(\mathfrak{a}^{-1}\mathfrak{m})$ is isogenous to
$\mathbb{C}^g/\Phi(\mathfrak{m})$, and its endomorphism ring is also
$\mathcal{O}$. This isogenous variety is actually isomorphic if and only if
$\mathfrak{a}$ is principal. In fact, this construction induces a free action of
the ideal class group $\mathrm{Cl}(\mathcal{O})$ on the set of isomorphism
classes of abelian varieties of CM-type $(K; \Phi)$ with endomorphism ring
$\mathcal{O}$.

2.3.2. Polarizations and the Shimura class group. A polarization on an abelian
variety $X$ over a field $k$ is an ample line bundle $\mathcal{L}_X$ on $X$.
Associated to such $\mathcal{L}_X$ is the polarization isogeny
$\varphi_{\mathcal{L}_X} : X \to X^\vee$, where $X^\vee$ is the dual of $X$. A
principal polarization is an ample line bundle of degree one (equivalently, the
polarization isogeny is an isomorphism).

Example 2. If $\mathscr{A}_{\mathbb{C}}$ is a simple abelian surface,
$\mathscr{A}_{\mathbb{C}}$ is principally polarizable if and only if it is the
Jacobian of a genus 2 curve (see [Mil06, Prop. 3.13] and [DM02, Th. 4.1]).

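In the remainder of this paragraph, we shall restrict to simple abelian
varieties, or equivalently, to primitive CM-types $(K; \Phi)$. If
$X = \mathscr{A}_{\mathbb{C}}$, a simple complex abelian variety with CM by an
order $\mathcal{O}$ in $K$, the theory of Taniyama and Shimura [ST61, §14] which
we now briefly recall provides an explicit description of the polarizations on
$X$ in terms of the arithmetic of $K$. Indeed, by the theory of complex
multiplication, there exists a full-rank lattice $\mathfrak{m}$ in $K$ such that
$X(\mathbb{C}) = \mathbb{C}^g/\Phi(\mathfrak{m})$. The dual abelian variety of
$\mathbb{C}^g/\Phi(\mathfrak{m})$ is $\mathbb{C}^g/\Phi(\mathfrak{m}^*)$ where
$\mathfrak{m}^* = \{\beta \in K : \mathrm{Tr}_{K/\mathbb{Q}}(\beta\mathfrak{m}) \subset \mathbb{Z}\}$.
A polarization $\mathcal{L}$ on $\mathbb{C}^g/\Phi(\mathfrak{m})$ induces an
isogeny
$\varphi_{\mathcal{L}} : \mathbb{C}^g/\Phi(\mathfrak{m}) \to \mathbb{C}^g/\Phi(\mathfrak{m}^*)$
that is given by $x \mapsto \rho_a(\xi)x$ for some purely imaginary element
$\xi \in K$ that satisfies $\Phi(\xi) \in (i\mathbb{R}_{>0})^g$. The
polarization is also described by the Riemann form
$E(x, y) = \mathrm{Tr}_{K/\mathbb{Q}}(\xi \bar{x} y)$. The polarization is
principal if and only if
$\varphi_{\mathcal{L}}(\Phi(\mathfrak{m})) = \Phi(\mathfrak{m}^*)$, i.e., if and
only if $\xi\mathfrak{m} = \mathfrak{m}^*$. Thus, the CM-type $(K; \Phi)$ being
fixed, the principally polarized abelian variety
$(\mathscr{A}_{\mathbb{C}}, \mathcal{L})$ is determined by the pair
$(\mathfrak{m}, \xi)$. The Shimura class group of $\mathcal{O}$ acts on such
pairs. It is defined as

$$\mathfrak{C}(\mathcal{O}) = \{(\mathfrak{a}, \alpha) \mid \mathfrak{a} \in \mathscr{I}(\mathcal{O}) \text{ and } \mathfrak{a}\bar{\mathfrak{a}} = \alpha\mathcal{O},\ \alpha \in K_0 \text{ totally positive}\}/\sim$$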

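with componentwise multiplication, where two pairs $(\mathfrak{a}, \alpha)$ and
$(\mathfrak{b}, \beta)$ are equivalent for the relation $\sim$ if there exists
an element $u \in K^\times$ such that $\mathfrak{b} = u\mathfrak{a}$ and
$\beta = u\bar{u}\alpha$. For any
$(\mathfrak{a}, \alpha) \in \mathfrak{C}(\mathcal{O})$ (up to equivalence), the
pair $(\mathfrak{a}^{-1}\mathfrak{m}, \alpha\xi)$ corresponds to a principally
polarized abelian variety isogenous to $\mathscr{A}_{\mathbb{C}}$ and with same
endomorphism ring $\mathcal{O}$ (up to isomorphism). This action of
$\mathfrak{C}(\mathcal{O})$ is in fact free on the set of isomorphism classes of
principally polarized abelian varieties isogenous to $\mathscr{A}_{\mathbb{C}}$
with same endomorphism ring [ST61, §17]. The structure of
$\mathfrak{C}(\mathcal{O})$ and its relation to $\mathrm{Cl}(\mathcal{O})$ is
described by the exact sequence

$$1 \to (\mathcal{O}_0^\times)^+/N_{K/K_0}(\mathcal{O}^\times) \to \mathfrak{C}(\mathcal{O}) \to \mathrm{Cl}(\mathcal{O}) \to \mathrm{Cl}^+(\mathcal{O}_0),$$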

where $\mathcal{O}_0 = \mathcal{O} \cap K_0$, $(\mathcal{O}_0^\times)^+$ is its
subgroup of totally positive units, and $\mathrm{Cl}^+(\mathcal{O}_0)$ its
narrow class group. The image of the projection
$\mathfrak{C}(\mathcal{O}) \to \mathrm{Cl}(\mathcal{O})$, denoted
$\mathscr{P}(\mathcal{O})$, is a subgroup of $\mathrm{Cl}(\mathcal{O})$ that
acts freely on the set of principally polarizable abelian varieties isogenous to
$\mathscr{A}_{\mathbb{C}}$ with endomorphism ring $\mathcal{O}$. Notice the
crucial distinction between polarized and polarizable. The amount of information
lost with the polarization is encoded in the group
$(\mathcal{O}_0^\times)^+/N_{K/K_0}(\mathcal{O}^\times)$. For maximal orders in
quartic CM-fields, this group is either trivial, in which case
$\mathfrak{C}(\mathcal{O})$ and $\mathscr{P}(\mathcal{O})$ are isomorphic and no
information is lost, or it is of order two, in which case the abelian surfaces
encoded in $\mathscr{P}(\mathcal{O})$ each have two possible polarizations. From
the exactness of the sequence, the subgroup $\mathscr{P}(\mathcal{O})$ is also
the kernel of $N_{K/K_0}$. The following lemma allows us to extend the result of
[BGL11, Th. 3.1] to higher dimensions, and non-maximal orders.

Lemma 2.1. Let $K$ be a CM-field and $K_0$ its maximal real subfield. Let
$\mathcal{O}$ be an order in $K$ of conductor $\mathfrak{f}$, and
$\mathcal{O}_0 = \mathcal{O} \cap K_0$. The image of $\mathrm{Cl}(\mathcal{O})$
through the norm map
$N_{K/K_0} : \mathrm{Cl}(\mathcal{O}) \to \mathrm{Cl}^+(\mathcal{O}_0)$ is of
index at most 2 in $\mathrm{Cl}^+(\mathcal{O}_0)$. If there is a prime in $K_0$
that ramifies in $K$ and does not divide $\mathfrak{f}$, the norm map
$N_{K/K_0}$ is surjective.

Proof. We use the elements of class field theory recalled in Section 2.2. Let
$H = H(\mathcal{O})$ and $H^+ = H^+(\mathcal{O}_0)$. The compositum $KH^+$ is a
subfield of $H$, so we have a natural surjection
$\mathrm{Gal}(H/K) \to \mathrm{Gal}(KH^+/K)$. From Galois theory,
$\mathrm{Gal}(KH^+/K)$ is isomorphic to $\mathrm{Gal}(H^+/(K \cap H^+))$, which
in turn is isomorphic to the quotient
$\mathrm{Gal}(H^+/K_0)/\mathrm{Gal}((K \cap H^+)/K_0)$. Let
$N = \mathrm{Gal}((K \cap H^+)/K_0)$. Then,

$$\psi : \mathrm{Gal}(H/K) \to \mathrm{Gal}(H^+/K_0)/N : \sigma \mapsto \sigma|_{H^+} \bmod N,$$

is the composition of these canonical maps, and is therefore a surjection.
Through the Artin map, the norm $N_{K/K_0}$ commutes with $\psi$. We conclude
that the image of $\mathrm{Cl}(\mathcal{O})$ through $N_{K/K_0}$ is a subgroup
of $\mathrm{Cl}^+(\mathcal{O}_0)$ of index at most $|N| \leq 2$. If there is a
prime in $K_0$ that ramifies in $K$ and does not divide $\mathfrak{f}$, then
$K \cap H^+ = K_0$, so $|N| = 1$ and the map $N_{K/K_0}$ is surjective. □

In particular, this lemma implies that the index
$[\mathrm{Cl}(\mathcal{O}) : \mathscr{P}(\mathcal{O})]$ is either the narrow
class number $h^+_{\mathcal{O}_0} = |\mathrm{Cl}^+(\mathcal{O}_0)|$, or
$h^+_{\mathcal{O}_0}/2$. It is exactly $h^+_{\mathcal{O}_0}$ whenever there is a
prime in the field $K_0$ that ramifies in $K$ and does not divide
$\mathfrak{f}$. As observed in [BGL11, Th. 3.1], there exists such a prime when
$\mathcal{O}$ is the maximal order in a primitive quartic CM-field.

2.4. Canonical lifting. Recall that our objects of primary interest are
varieties defined over a finite field $\mathbb{F}_q$. The theory of canonical
lifting of Serre and Tate [ST68] allows us to lift an ordinary abelian variety
$\mathscr{A}/\mathbb{F}_q$ to an abelian variety over $W(\mathbb{F}_q)$, the
ring of Witt vectors of $\mathbb{F}_q$, in such a way that all endomorphisms of
$\mathscr{A}$ lift to endomorphisms of the lift, and the lifting is functorial.
To obtain lifts from abelian varieties over $\mathbb{F}_q$ to abelian varieties
over $\mathbb{C}$, we fix an embedding
$\iota : W(\mathbb{F}_q) \hookrightarrow \mathbb{C}$ and let
$\mathscr{A}_{\mathbb{C}}$ be the complex abelian variety obtained from the lift
by base change along $\iota$. If
$T(\mathscr{A}) = H_1(\mathscr{A}_{\mathbb{C}}, \mathbb{Z})$ then
$T(\mathscr{A})$ is a free $\mathbb{Z}$-module of rank
$2 \cdot \dim(\mathscr{A})$. The correspondence
$\mathscr{A} \mapsto T(\mathscr{A})$ is functorial and any isogeny
$\varphi : \mathscr{A} \to \mathscr{B}$ over $\mathbb{F}_q$ gives rise to a
short exact sequence

$$0 \to T(\mathscr{A}) \to T(\mathscr{B}) \to \ker(\varphi) \to 0.$$

A theorem of Deligne [Del69, Th. 7] says that if $\pi$ is the Frobenius
endomorphism of $\mathscr{A}$ over $\mathbb{F}_q$ then the functor
$\mathscr{A} \mapsto (T(\mathscr{A}), T(\pi))$ is an equivalence of categories
between the category of ordinary abelian varieties over $\mathbb{F}_q$ and the
category of free $\mathbb{Z}$-modules $T$ endowed with an endomorphism $F$
satisfying

(1) $F$ is semi-simple, with eigenvalues of complex absolute value $\sqrt{q}$,

(2) At least half the roots in $\overline{\mathbb{Q}}_p$ of the characteristic
polynomial of $F$ are $p$-adic units,

(3) There is an endomorphism $V$ of $T$ such that $FV = q$.

As discussed in [Del69, §8], any such $(T, F)$ that is the image of a variety
$\mathscr{A}$ through this functor determines the complex abelian variety
$\mathscr{A}_{\mathbb{C}}$ up to isomorphism as
$\mathscr{A}_{\mathbb{C}} = (T \otimes \mathbb{R})/T$ (with a complex structure
on $T \otimes \mathbb{R}$ such that $F$ is $\mathbb{C}$-linear; the existence
and uniqueness of the appropriate complex structure is established by a theorem
of Serre [Ml §8]). This means that up to isomorphism, we can write
$\mathscr{A}_{\mathbb{C}} = \mathbb{C}^g/\Lambda$, for a lattice $\Lambda$ in
$\mathbb{C}^g$ and since lifting preserves the endomorphism ring
$\mathcal{O} = \mathrm{End}(\mathscr{A})$, we even have
$\mathscr{A}_{\mathbb{C}} = \mathbb{C}^g/\Phi(\mathfrak{m})$ for some full-rank
lattice $\mathfrak{m}$ in $K$ with order
$\mathcal{O}(\mathfrak{m}) = \mathcal{O}$, where, as above, the map
$\Phi : K \to \mathbb{C}^g$ is the CM-type of $\mathscr{A}_{\mathbb{C}}$. From
the canonical identification between $\Phi(\mathfrak{m})$ and
$H_1(\mathscr{A}_{\mathbb{C}}, \mathbb{Z})$ (see 111,1) 1. §1.1]), the functor
can be interpreted as
$\mathscr{A} \mapsto (\Phi(\mathfrak{m}), \rho_r(\pi))$. This establishes a
functorial map from the abelian varieties over $\mathbb{F}_q$ of fixed
endomorphism ring $\mathcal{O}$ to the complex abelian varieties
$\mathbb{C}^g/\Phi(\mathfrak{m})$ where $\mathfrak{m}$ are lattices in $K$ with
order $\mathcal{O}(\mathfrak{m}) = \mathcal{O}$. Conversely, Deligne's theorem
shows that any such $\mathbb{C}^g/\Phi(\mathfrak{m})$ is the lift of an abelian
variety over $\mathbb{F}_q$ with endomorphism ring $\mathcal{O}$: the variety
corresponding to the pair $(\Phi(\mathfrak{m}), \rho_r(\pi))$, where
$\rho_r(\pi)$ is the rational representation of $\pi$. Moreover, from
[Del69, §3], the polarizations also lift properly, and in particular
$\mathscr{A}$ is principally polarizable if and only if
$\mathscr{A}_{\mathbb{C}}$ is.

2.5. Horizontal isogeny graphs as Cayley graphs. Let $\pi$ be a $q$-Weil number,
and let $K = \mathbb{Q}(\pi)$ be the corresponding CM-field, with $K_0$ its
maximal real subfield. Fix an order $\mathcal{O}$ in $K$, and let
$V_{\pi,\mathcal{O}}$ be the set of all $\mathbb{F}_q$-isomorphism classes of
abelian varieties defined over $\mathbb{F}_q$ with endomorphism ring
$\mathcal{O}$ in the isogeny class characterised by $\pi$. Recall that the class
group $\mathrm{Cl}(\mathcal{O})$ acts freely on $V_{\pi,\mathcal{O}}$. One can
choose any reference variety $\mathscr{A}$ in $V_{\pi,\mathcal{O}}$ and any
subgroup $H$ in $\mathrm{Cl}(\mathcal{O})$, and consider the orbit
$H(\mathscr{A})$.

Combining the results of Deligne discussed in Section 2.4 with the theory of
complex multiplication, there is an equivalence of categories between the
category of objects $H(\mathscr{A})$ and morphisms the isogenies between them,
and the category whose objects are the ideal classes in the subgroup $H$, and
the sets of morphisms from $\mathfrak{a} \in H$ to $\mathfrak{b} \in H$ are the
ideals of $\mathcal{O}$ in the class $\mathfrak{a}^{-1}\mathfrak{b}$. The degree
of an isogeny equals the norm of the corresponding ideal. Restricting the
morphisms to a finite set of generators, the latter category can be seen as a
Cayley (multi)graph.

Definition 2.2 (Cayley graph). Let $G$ be a finite group and $S$ a generating
subset of $G$, with $S = S^{-1}$. The Cayley graph $\mathrm{Cay}(G, S)$ is the
finite $|S|$-regular undirected graph with set of vertices $G$, and an edge
between $g$ and $sg$ for any $g \in G$ and $s \in S$.

Remark 4. The edges of $\mathrm{Cay}(G, S)$ can have multiplicities if $S$ is a
multiset. If $\mathcal{S}$ is a set of labels and $f : \mathcal{S} \to S$ is a
surjection, then $f$ naturally induces a Cayley multigraph for the set of
generators $S$ whose edges are labelled by elements of $\mathcal{S}$.

Let $\mathcal{S}$ be a set of ideals of $\mathcal{O}$, and $S$ its image in
$\mathrm{Cl}(\mathcal{O})$, with $f : \mathcal{S} \to S$ the induced surjection.
Let $\mathrm{Cay}(H, S \cap H)$ be the induced labelled multigraph. Let $T$ be
the set of all isogenies between elements of $H(\mathscr{A})$ corresponding to
the ideals of $\mathcal{S}$. We build the graph $\mathscr{G}_{\mathcal{S}}$ with
set of vertices $H(\mathscr{A})$ by adding an edge between the vertices
$\mathscr{B}$ and $\mathscr{C}$ for any isogeny $\mathscr{B} \to \mathscr{C}$ in
$T$. Then, the equivalence of categories induces an isomorphism between the
graphs $\mathscr{G}_{\mathcal{S}}$ and $\mathrm{Cay}(H, S \cap H)$.

Example 3. If $\mathscr{A}$ is a principally polarizable abelian variety and
$H = \mathscr{P}(\mathcal{O})$, the orbit $H(\mathscr{A})$ (in this case also
denoted $\mathscr{P}(\mathscr{A})$) is a set of isomorphism classes of
principally polarizable abelian varieties isogenous to $\mathscr{A}$ and with
same endomorphism ring. Via the construction described above, any choice of a
generating set of $\mathscr{P}(\mathcal{O})$ yields a graph on the set of
vertices $\mathscr{P}(\mathscr{A})$. From [Wat69, Theorem 5.3] together with
[Bla14, Theorem 4.5], the action of $\mathrm{Cl}(\mathcal{O})$ is transitive on
the set of all abelian varieties isogenous to $\mathscr{A}$ and with same
endomorphism ring whenever $\mathscr{A}$ has maximal real multiplication (i.e.,
$\mathcal{O}_{K_0} \subset \mathcal{O}$). We can conclude via [ST61, §17] that
when $\mathscr{A}$ has maximal real multiplication, the orbit
$\mathscr{P}(\mathscr{A})$ is exactly the set of all isomorphism classes of
principally polarizable abelian varieties isogenous to $\mathscr{A}$ and with
same endomorphism ring.


3. Expander graphs and ray class groups 

In this section, we prove Theorem 1.2 and investigate its consequences on the
structure of the Cayley graphs of interest.


3.1. Eigenvalues and Cayley graphs. Let $\mathscr{G}$ be an undirected
(multi)graph with set of vertices $\mathcal{V}$ and set of edges $\mathcal{E}$.
Suppose $\mathscr{G}$ is finite and $k$-regular, i.e., each vertex has $k$
incident edges. The adjacency operator $A$ of $\mathscr{G}$ is the operator
defined for any function $f$ from $\mathcal{V}$ to $\mathbb{C}$ by

$$Af(x) = \sum_{y \in \mathcal{N}_{\mathscr{G}}(x)} f(y),$$

for any $x \in \mathcal{V}$, where $\mathcal{N}_{\mathscr{G}}(x)$ denotes the
(multi)set of neighbors of $x$ in $\mathscr{G}$. This operator is represented by
the adjacency matrix of $\mathscr{G}$ with respect to the basis
$\{1_{\{x\}} : x \in \mathcal{V}\}$, where $1_S$ denotes the characteristic
function of a set $S$. It is a real symmetric matrix, so by the spectral
theorem, $A$ has $n = |\mathcal{V}|$ real eigenvalues
$\lambda_1 \geq \lambda_2 \geq \ldots \geq \lambda_n$. Since the graph is
$k$-regular, the constant function $1_{\mathcal{V}} : x \mapsto 1$ is an
eigenvector with eigenvalue $k$. We call $k$ the trivial eigenvalue, and denote
it by $\lambda_{\mathrm{triv}}$. This $\lambda_{\mathrm{triv}}$ is the largest
eigenvalue in absolute value, i.e., $\lambda_1 = k$, and its multiplicity is the
number of connected components of $\mathscr{G}$.

Definition 3.1 (Expander graph). Let $\delta > 0$. The $k$-regular graph $\mathscr{G}$ is a (one-sided)
$\delta$-expander if $\lambda_2 < (1 - \delta)\lambda_{\mathrm{triv}}$. It is a two-sided $\delta$-expander if the stronger bound
$|\lambda_2| < (1 - \delta)\lambda_{\mathrm{triv}}$ holds.


Observe that such a graph is connected whenever $\delta > 0$. The main reason for our
interest in expander graphs is that they rapidly mix random walks. The following
lemma is a classical result on expander graphs and can be found in, e.g., [JMV09].


Lemma 3.2. Let $\mathscr{G}$ be a finite $k$-regular graph for which the non-trivial eigenvalues
$\lambda$ of the adjacency operator $A$ satisfy the bound $|\lambda| < c$, for some $c < k$. Let $S$ be a
subset of the vertices of $\mathscr{G}$, and $v$ a vertex of $\mathscr{G}$. Any random walk from $v$ of length
at least

$$\frac{\ln(2|\mathscr{G}|/|S|^{1/2})}{\ln(k/c)}$$

will end in $S$ with probability between $\frac{1}{2}\frac{|S|}{|\mathscr{G}|}$ and $\frac{3}{2}\frac{|S|}{|\mathscr{G}|}$.


For any finite group $G$ with generating set $S$, observe that a character $\chi : G \to \mathbb{C}^*$
is an eigenvector for the adjacency operator $A$ on $\mathrm{Cay}(G, S)$. Indeed,

$$A\chi(x) = \sum_{s \in S} \chi(sx) = \sum_{s \in S} \chi(s)\chi(x) = \lambda_\chi \chi(x), \quad \text{where } \lambda_\chi = \sum_{s \in S} \chi(s).$$

If $G$ is abelian, these characters form a basis of the $\mathbb{C}$-vector space of functions
of $G$. In particular, any eigenvalue is of the form $\lambda_\chi$ for some character $\chi$. The
trivial eigenvalue corresponds to the trivial character $\mathbf{1}_G$.
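
The following Python sketch is an added illustration, not code from the paper. It uses the cyclic group Z/101 as a constructed stand-in for an abelian group G, checks numerically that a character is an eigenvector of the adjacency operator of Cay(G, S) with eigenvalue equal to the sum of the character over S, and evaluates the walk length and the probability window of Lemma 3.2 exactly, taking the largest non-trivial eigenvalue in absolute value as c. The group, the generating set and every function name are assumptions made for the example.

```python
import cmath
import math

def character(n, a):
    """chi_a : Z/n -> C*, x -> exp(2*pi*i*a*x/n); a = 0 is the trivial character."""
    return lambda x: cmath.exp(2j * cmath.pi * a * x / n)

def eigenvalue(n, gens, a):
    """lambda_chi = sum over s in S of chi(s); it is real because S = S^{-1}."""
    chi = character(n, a)
    return sum(chi(s) for s in gens).real

def adjacency_apply(n, gens, f):
    """(Af)(x) = sum of f(y) over the neighbours y = x + s of x in Cay(Z/n, S)."""
    return [sum(f[(x + s) % n] for s in gens) for x in range(n)]

def is_eigenvector(n, gens, a, tol=1e-9):
    """Check A chi = lambda_chi * chi pointwise for the character chi_a."""
    chi = character(n, a)
    f = [chi(x) for x in range(n)]
    lam = eigenvalue(n, gens, a)
    return all(abs(y - lam * fx) < tol
               for y, fx in zip(adjacency_apply(n, gens, f), f))

def landing_probability(n, gens, start, target, length):
    """Exact probability that a uniform random walk of `length` steps from
    `start` ends in `target` (the distribution is propagated, not sampled)."""
    dist = [0.0] * n
    dist[start] = 1.0
    for _ in range(length):
        nxt = [0.0] * n
        for x, p in enumerate(dist):
            for s in gens:
                nxt[(x + s) % n] += p / len(gens)
        dist = nxt
    return sum(dist[x] for x in target)

def lemma_3_2_check(n, half, target, start):
    """Spectral data of Cay(Z/n, S) and the quantities appearing in Lemma 3.2."""
    gens = list(half) + [(-s) % n for s in half]   # symmetric multiset S = S^{-1}
    k = len(gens)                                  # trivial eigenvalue
    c = max(abs(eigenvalue(n, gens, a)) for a in range(1, n))
    size = len(target)
    length = math.ceil(math.log(2 * n / math.sqrt(size)) / math.log(k / c))
    prob = landing_probability(n, gens, start, target, length)
    return {"gens": gens, "k": k, "c": c, "delta": 1 - c / k, "length": length,
            "prob": prob, "lower": size / (2 * n), "upper": 3 * size / (2 * n)}

# Constructed toy input: G = Z/101, S = {+-1, +-3, +-9, +-27, +-81}.
RESULT = lemma_3_2_check(101, [1, 3, 9, 27, 81], target=list(range(20)), start=57)

if __name__ == "__main__":
    print({key: RESULT[key] for key in ("k", "c", "delta", "length", "prob")})
```

The returned `delta` is the two-sided expansion of the toy graph in the sense of Definition 3.1, and `prob` lies between `lower` and `upper` as the lemma predicts.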


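3.2. Proof of Theorem 1.2. Since $G$ is abelian, any character $\chi$ of $H$ can be
extended to a character of $G$. Take any such extension and, by abuse of notation,
also denote it by $\chi$. Note that for any ideal $\mathfrak{l}$ of $\mathcal{O}_K$ coprime to $\mathfrak{m}$, we have

$$\sum_{\theta \in \widehat{G/H}} \theta([\mathfrak{l}]) = \begin{cases} [G : H] & \text{if } [\mathfrak{l}] \in H, \\ 0 & \text{otherwise,} \end{cases}$$

where $\widehat{G/H} = \mathrm{Hom}(G/H, \mathbb{C}^*)$ is the character group of the quotient $G/H$. Therefore
this sum can be used to filter the condition that $[\mathfrak{l}] \in H$, and we can rewrite

$$\lambda_\chi = \sum_{\mathfrak{l} \in T_{H,\mathfrak{m}}(B)} \chi([\mathfrak{l}])
= \frac{1}{[G : H]} \sum_{\substack{\mathfrak{l} :\, N\mathfrak{l} < B \text{ prime} \\ (\mathfrak{l}, \mathfrak{m}) = 1}} \chi([\mathfrak{l}]) \sum_{\theta \in \widehat{G/H}} \theta([\mathfrak{l}])
= \frac{1}{[G : H]} \sum_{\theta \in \widehat{G/H}} \sum_{\substack{\mathfrak{l} :\, N\mathfrak{l} < B \text{ prime} \\ (\mathfrak{l}, \mathfrak{m}) = 1}} \chi([\mathfrak{l}])\theta([\mathfrak{l}]).$$

We are then left with estimating a character sum $\chi([\mathfrak{l}])\theta([\mathfrak{l}])$. Each of the
summands of the latter defines a multiplicative function

$$\nu_{\chi,\theta} : \mathscr{I}_{\mathfrak{m}}(K) \to \mathbb{C}^* : \mathfrak{l} \mapsto \chi([\mathfrak{l}])\theta([\mathfrak{l}]),$$

where $\mathscr{I}_{\mathfrak{m}}(K)$ is the group of fractional ideals of $K$ coprime to $\mathfrak{m}$. It extends to a
function of the group of all the fractional ideals of $K$, by setting $\nu_{\chi,\theta}(\mathfrak{l}) = 0$
for all prime divisors $\mathfrak{l}$ of $\mathfrak{m}$. The expression of $\lambda_\chi$ becomes

$$\lambda_\chi = \frac{1}{[G : H]} \sum_{\theta \in \widehat{G/H}} \sum_{\mathfrak{l} :\, N\mathfrak{l} < B \text{ prime}} \nu_{\chi,\theta}(\mathfrak{l}). \tag{3.1}$$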

QSLgJh prime 

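From the classical estimate that can be found in [IK04, Th. 5.15], we have

$$\sum_{\mathfrak{a} :\, N\mathfrak{a} < B} \Lambda(\mathfrak{a})\nu_{\chi,\theta}(\mathfrak{a}) = \delta(\nu_{\chi,\theta})B + O\left(nB^{1/2}\ln(B)\ln(Bd_K N\mathfrak{m})\right),$$

where $\Lambda$ is the von Mangoldt function (i.e., $\Lambda(\mathfrak{a})$ is $\ln N\mathfrak{l}$ if $\mathfrak{a}$ is a power of a prime
ideal $\mathfrak{l}$, and 0 otherwise), and $\delta(\nu_{\chi,\theta})$ is 1 if $\nu_{\chi,\theta}$ is principal, and 0 otherwise (a
principal character is a character that only takes the values 1 or 0). Observe that
if $\nu_{\chi,\theta}$ is principal, then $\chi$ must be the trivial character, so that $\delta(\nu_{\chi,\theta}) = \delta(\chi)\delta(\theta)$.
Indeed, suppose that $\nu_{\chi,\theta}$ is principal, and let $[\mathfrak{l}] \in H$, for a prime $\mathfrak{l}$ coprime to $\mathfrak{m}$.
Then,

$$1 = \nu_{\chi,\theta}(\mathfrak{l}) = \chi([\mathfrak{l}])\theta([\mathfrak{l}]) = \chi([\mathfrak{l}])\theta(1_{G/H}) = \chi([\mathfrak{l}]),$$

so $\chi$ must be the trivial character of $H$.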

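We now want to replace each instance of $\Lambda(\mathfrak{a})$ in the above sum by $P(\mathfrak{a})$, where

$$P(\mathfrak{a}) = \begin{cases} \ln N\mathfrak{a} & \text{if } N\mathfrak{a} \text{ is prime,} \\ 0 & \text{otherwise.} \end{cases}$$

To do so, it is sufficient to prove that

$$\sum_{\mathfrak{a} :\, N\mathfrak{a} < B} \Lambda(\mathfrak{a})\nu_{\chi,\theta}(\mathfrak{a}) - \sum_{\mathfrak{a} :\, N\mathfrak{a} < B} P(\mathfrak{a})\nu_{\chi,\theta}(\mathfrak{a}) = O\left(nB^{1/2}\right). \tag{3.2}$$

The non-zero terms $(\Lambda(\mathfrak{a}) - P(\mathfrak{a}))\nu_{\chi,\theta}(\mathfrak{a})$ correspond to ideals $\mathfrak{a}$ which are powers
of a prime ideal $\mathfrak{l}$, and $N\mathfrak{a} = N\mathfrak{l}^k$ is not a prime number - but it is a power of a
prime $\ell$. Since $K$ is of degree $n$, there are at most $n$ different prime ideals $\mathfrak{l}$ above
any given prime number $\ell$. Therefore the difference (3.2) is bounded in absolute
value by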

n "Yj ln^ = Y2 "Y/ —— = mr^B 1 / 2 ) In B 1 

&<B i<B 1/2 iKB 1 / 2 

k > 2 2 

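which, by the Prime Number Theorem, is $O(nB^{1/2})$. Therefore,

$$\sum_{\mathfrak{a} :\, N\mathfrak{a} < B} P(\mathfrak{a})\nu_{\chi,\theta}(\mathfrak{a}) = \delta(\nu_{\chi,\theta})B + O\left(nB^{1/2}\ln(B)\ln(Bd_K N\mathfrak{m})\right).$$

Applying the Abel partial summation formula, we derive that

$$\sum_{\mathfrak{l} :\, N\mathfrak{l} < B \text{ prime}} \nu_{\chi,\theta}(\mathfrak{l}) = \delta(\nu_{\chi,\theta})\,\mathrm{li}(B) + O\left(nB^{1/2}\ln(Bd_K N\mathfrak{m})\right),$$

where li denotes the logarithmic integral. Replacing this into the expression (3.1)
of $\lambda_\chi$, we finally obtain

$$\lambda_\chi = \frac{\delta(\chi)}{[G : H]}\,\mathrm{li}(B) + O\left(nB^{1/2}\ln(Bd_K N\mathfrak{m})\right),$$

which proves the theorem. □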

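3.3. Spectral gaps for subgroups of ideal class groups. Let $K$ be any number
field of degree $n$, $\mathcal{O}$ an order of conductor $\mathfrak{f}$ in $K$, and $H$ any subgroup of $\mathrm{Cl}(\mathcal{O})$.
Let $B > 0$, $\mathfrak{m}$ an integral ideal of $\mathcal{O}_K$, and define the following set of ideals of $\mathcal{O}_K$,

$$\mathcal{S}_B = \{\mathfrak{l} \mid N\mathfrak{l} < B \text{ is prime}, (\mathfrak{l}, \mathfrak{fm}) = 1, \text{ and } [\mathfrak{l} \cap \mathcal{O}] \in H\},$$

where $[\mathfrak{l} \cap \mathcal{O}]$ is the class in $\mathrm{Cl}(\mathcal{O})$. Let $S_B$ be the multiset of its image in the class
group. Using Theorem 1.2 one can bound the spectral gap of $\mathscr{G}_B = \mathrm{Cay}(H, S_B)$.

Theorem 3.3. For any character $\chi$ of $H$, the corresponding eigenvalue of $\mathscr{G}_B$ is

$$\lambda_\chi = \frac{\delta(\chi)}{[\mathrm{Cl}(\mathcal{O}) : H]}\,\mathrm{li}(B) + O\left(nB^{1/2}\ln(Bd_K N(\mathfrak{fm}))\right),$$

where $\delta(\chi)$ is 1 if $\chi$ is trivial, and 0 otherwise.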

Proof. Using the notations from Section 12221 the group P£- 1 is a subgroup of P^ a , 
so there is a natural surjection Clf(iv) —>■ 0(0). Furthermore, the canonical injec¬ 
tion of in J?f(K) induces a surjection from Clf m (A') to Clf(iV). Therefore 

we have a natural surjection $\pi : \mathrm{Cl}_{\mathfrak{fm}}(K) \to \mathrm{Cl}(\mathcal{O})$, which sends the class of any
integral ideal $\mathfrak{a}$ of $\mathcal{O}_K$ to the class of $\mathfrak{a} \cap \mathcal{O}$. Consider the subgroup $\tilde{H} = \pi^{-1}(H)$
of $\mathrm{Cl}_{\mathfrak{fm}}(K)$, and its Cayley graph $\tilde{\mathscr{G}}_B = \mathrm{Cay}(\tilde{H}, T_{\tilde{H},\mathfrak{fm}}(B))$ where $T_{\tilde{H},\mathfrak{fm}}(B)$ is the
multiset defined in the statement of Theorem 1.2. The Cayley graph $\mathscr{G}_B$ on $H$ is the
image of the Cayley graph $\tilde{\mathscr{G}}_B$ on $\tilde{H}$ via the projection $\pi$, taking into account the
multiplicity of the edges. The eigenvalues of $\mathscr{G}_B$ are exactly the eigenvalues $\lambda_\theta$ of $\tilde{\mathscr{G}}_B$
corresponding to characters $\theta$ of $\tilde{H}$ that are trivial on the kernel of $\pi|_{\tilde{H}} : \tilde{H} \to H$.
The result follows by applying Theorem 1.2 on $\tilde{\mathscr{G}}_B$. □


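Corollary 3.4. For any $0 < \delta < 1$ and $\varepsilon > 0$, there is a function

$$B_{\delta,\varepsilon}(H, \mathfrak{m}) = O\left((n[\mathrm{Cl}(\mathcal{O}) : H]\ln(d_K N(\mathfrak{fm})))^{2+\varepsilon}\right),$$

such that $\mathscr{G}_{B_{\delta,\varepsilon}(H,\mathfrak{m})}$ is a two-sided $\delta$-expander.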


Proof. Let $x > 0$, and write $k = [\mathrm{Cl}(\mathcal{O}) : H]$. The graph $\mathscr{G}_x$ is a two-sided
$\delta$-expander if $|\lambda_\chi| < (1 - \delta)\lambda_{\mathrm{triv}}$ for any non-trivial character $\chi$. From Theorem 3.3
and the fact that $\mathrm{li}(x) \sim x/\ln(x)$ and $\mathrm{li}(x) > x/\ln(x)$ for any $x > 4$, there are
absolute constants $C$ and $D$ such that for any $x > C$, we have

$$\lambda_{\mathrm{triv}} \ge \frac{x}{\ln(x)k} - Dnx^{1/2}\ln(xd_K N(\mathfrak{fm})),$$

and $|\lambda_\chi| < Dnx^{1/2}\ln(xd_K N(\mathfrak{fm}))$. So

Atriv > _ 2a; 1 / 2 _ ^ 

|A| In 2 (x)Dkn(\n(dK N (fm)) + 1) 

We have that $x^{1/(2+\varepsilon)} = O(x^{1/2}/\ln^2(x))$ for any $\varepsilon > 0$, so considering larger
constants $C$ and $D$ if necessary, we have the inequality

Atriv > 2s 1 /( 2 + e > _ 

|A| — Dfcn(ln(d/flV(fm)) + 1) 


The constants $C$ and $D$ are not absolute anymore but they only depend on $\varepsilon$. Let


Bs, e (H, m) = max 




(Dkn(ln(dK N (fm)) + 1) 



Then, for $x = B_{\delta,\varepsilon}(H, \mathfrak{m})$, we have so $\mathscr{G}_x$ is a $\delta$-expander.


□ 


3.4. Proof of Theorem 1.1. Theorem 1.1 is now an easy combination of the graph
isomorphism expounded in Section 2.5 together with Corollary 3.4 establishing that
these graphs are expanders, and Lemma 3.2 on random walks on such graphs.


4. Random walks on isogeny graphs of Jacobians in genus 2 

Throughout this section, we will restrict to ordinary abelian surfaces that are
Jacobians of genus 2 hyperelliptic curves over a finite field $\mathbb{F}_q$. Let $\mathscr{J} = \mathrm{Jac}(\mathscr{C})$
be such a Jacobian with endomorphism algebra $K$ and whose endomorphism ring
is isomorphic to an order $\mathcal{O}$ in $K$. Let $\mathcal{O}_0 = \mathcal{O} \cap K_0$ where $K_0$ is the real subfield
of $K$. Let $\mathscr{A}$ be the isomorphism class of $\mathscr{J}$ as an abelian variety.

Consider the orbit $\mathscr{P}(\mathscr{A})$ of the action of $\mathscr{P}(\mathcal{O})$ on $\mathscr{A}$. The choice of any set
of ideals generating $\mathscr{P}(\mathcal{O})$ yields an isogeny graph on the set of vertices $\mathscr{P}(\mathscr{A})$ as
described in Example 3. Now, Theorem 1.1 provides generating sets $S$ with very
convenient properties: (i) the corresponding isogeny graph rapidly mixes random
walks, and (ii) every edge is an isogeny of small prime degree. In fact, all the
occurring isogenies are computable in polynomial time by a recent algorithm of
Dudeanu, Jetchev and Robert [DJR14, Dud16] (henceforth, the DJR algorithm).

4.1. Computing isogenies of small degree. More precisely, the DJR algorithm
can compute any isogeny from $\mathscr{J}$, defined over $\mathbb{F}_q$ and of odd prime degree
$\ell$ (i.e., given a generator of the kernel, it finds an equation of a hyperelliptic curve
$\mathscr{C}'$ such that the target Jacobian is isomorphic to $\mathrm{Jac}(\mathscr{C}')$) under the following
conditions:

(1) $\mathscr{J}$ has maximal real multiplication, i.e., $\mathcal{O}_0$ is the maximal order of $K_0$,

(2) the index $[\mathcal{O} : \mathbb{Z}[\pi, \bar\pi]]$ is prime to $2\ell$, and

(3) there exists a totally positive element $\beta \in \mathcal{O}_0$ of norm $\ell$ which annihilates
the kernel of the isogeny (the isogeny is called $\beta$-cyclic, and the polarisation
computed on the target curve depends on the choice of this $\beta$).

The cost of the algorithm is $O(\ell^2)$ operations in $\mathbb{F}_q$, assuming some precomputations
of polynomial time in $\log q$ and $\ell$ (see [Dud16, Th. 4.8.2]).

Observe that Condition (3) exactly means that the isogeny corresponds to an
ideal in the kernel $\mathscr{P}(\mathcal{O})$ of the map $N_{K/K_0} : \mathrm{Cl}(\mathcal{O}) \to \mathrm{Cl}^+(\mathcal{O}_0)$. Therefore this
condition is, by construction, satisfied by all the isogenies of the graph. Also, we can
choose the generating set $S$ so that it does not contain any ideal of norm dividing
the index $[\mathcal{O} : \mathbb{Z}[\pi, \bar\pi]]$, so the isogenies of the graph all satisfy Condition (2) if and
only if $[\mathcal{O} : \mathbb{Z}[\pi, \bar\pi]]$ is odd. Therefore, the conditions

(1) $\mathscr{J}$ has maximal real multiplication, and

(2) the index $[\mathcal{O} : \mathbb{Z}[\pi, \bar\pi]]$ is prime to 2,

are sufficient for constructing a graph whose edges can all be computed by the DJR
algorithm. Before the work of Dudeanu, Jetchev and Robert, one was only able
to compute $(\ell, \ell)$-isogenies [CR11] that were not sufficient to obtain a connected
graph.

For the same computational cost, the DJR algorithm can compute the image of
a point of order coprime to $2q[\mathcal{O} : \mathbb{Z}[\pi, \bar\pi]]$, given some additional precomputations
of polynomial cost in $\mathrm{Disc}(K_0)$.

4.2. Navigating in the graph with polarizations. The vertices of the graph
represent principally polarizable (as opposed to polarized) abelian surfaces. As
a consequence, two distinct Jacobians can represent the same vertex if they are
isomorphic as abelian varieties, but have non-isomorphic polarizations. For computations,
it is important to be able to determine whether two vertices of the graph
are distinct or not, and to this end, the way the vertices are represented is crucial.

As explained in [CR11] and [DJR14], it is possible to distinguish between isomorphism
classes of Jacobians as principally polarized abelian varieties by simply
comparing the Rosenhain invariants². The DJR algorithm computes these explicitly
for the target curve of an isogeny. Therefore, if $(\mathcal{O}_{K_0}^\times)^+/N_{K/K_0}(\mathcal{O}_K^\times)$ is trivial,
as discussed in Section 2.3.2, the map $\mathscr{C}(\mathcal{O}) \to \mathscr{P}(\mathcal{O})$ forgetting the polarization is
an isomorphism so the vertices of the graph can simply be represented as Jacobians,
or their Rosenhain invariants.

But if $(\mathcal{O}_{K_0}^\times)^+/N_{K/K_0}(\mathcal{O}_K^\times)$ is of order 2, more work is required. In this case,
for any Jacobian $\mathscr{J}_1$, there exists another Jacobian $\mathscr{J}_2$ which is isomorphic as a
non-polarized abelian variety (and thus represents the same vertex in the graph),
but not as a principally polarized abelian variety. To solve this issue, one can
simply represent the vertices of the graph as pairs of Jacobians, isomorphic as
abelian varieties, but with non-isomorphic polarizations. It is still possible to use
the DJR algorithm to navigate in this graph. Indeed, let $u \in (\mathcal{O}_{K_0}^\times)^+$ be a generator
of $(\mathcal{O}_{K_0}^\times)^+/N_{K/K_0}(\mathcal{O}_K^\times)$. Starting from $\mathscr{J}$, given an appropriate kernel, the DJR
algorithm chooses a $\beta$ and computes the isogeny as a $\beta$-isogeny, resulting in a target
Jacobian $\mathscr{J}_1$. If $\beta$ is replaced by $u\beta$, the DJR algorithm finds the Jacobian $\mathscr{J}_2$
which is isomorphic to $\mathscr{J}_1$ as an abelian variety, but with a different polarization.
Therefore the representation of the vertex $\{\mathscr{J}_1, \mathscr{J}_2\}$ can be fully computed.

² Since the varieties are absolutely simple, ordinary, and over $\mathbb{F}_q$, two of them are $\overline{\mathbb{F}}_q$-isomorphic
if and only if they are $\mathbb{F}_q$-isomorphic (a consequence of [Wat69, Th. 7.2]; see [BJW16, Rem. 3.3]).

A last point must be addressed: given a Jacobian $\mathscr{J}$ and a prime $\ell$, the DJR
algorithm can find isogenies of degree $\ell$ from that Jacobian, but it is unclear
a priori which of these isogenies remain within the graph we constructed. Indeed,
it could well be that some of these isogenies change the endomorphism order $\mathcal{O}$.
Luckily, this is not a concern if only primes $\ell$ that cannot change the endomorphism
order are picked. An isogeny over $\mathbb{F}_q$ of degree $\ell$ can change the order only if
$\ell$ divides the index $[\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$ (see [BJW16, Prop. 3.4]). Therefore, in the
generating set $S$, we avoid the prime ideals dividing that index.

4.3. Proof of Theorem 1.3. Let $W \subset V$ be the subset of all isomorphism classes
for which the algorithm A solves the DLP. For any two polarised abelian varieties
$\mathscr{A}$ and $\mathscr{B}$, write $\mathscr{A} \sim \mathscr{B}$ if they are isomorphic as non-polarized abelian varieties.
Recall that as discussed in Section EM if A can solve the DLP on one Jacobian 
$\mathscr{J} \in W$, then it can solve the DLP on the other Jacobians $\mathscr{J}' \sim \mathscr{J}$. Let $\mathscr{V} = V/\sim$
and $\mathscr{W} = W/\sim$. Let $\pi$ be a $q$-Weil number characterising the fixed isogeny class.
From Example 3 the set $\mathscr{V}$ is naturally in bijection with $\mathscr{P}(\mathscr{A})$, the orbit for the
CM-action of $\mathscr{P}(\mathcal{O})$. We can therefore apply Theorem 1.1 on the graph $\mathscr{G}$ with set of
vertices $\mathscr{V}$ induced by the set of invertible ideals in $\mathcal{O}$, coprime to $2[\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$,
of prime norm bounded by

$$B_\varepsilon(\mathcal{O}) = O\left(\left(h^+_{\mathcal{O}_0}\ln(d_K N\mathfrak{f}[\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]])\right)^{2+\varepsilon}\right) = O\left(\left(h^+_{\mathcal{O}_0}\log q\right)^{2+\varepsilon}\right),$$

where $\mathfrak{f}$ is the conductor of $\mathcal{O}$. Any path of length at least $\ln(2|\mathscr{V}|/|\mathscr{W}|^{1/2}) < \ln(2h_{\mathcal{O}})$
starting from any vertex will end in $\mathscr{W}$ with probability between $\mu/2$ and
$3\mu/2$. So the strategy to solve DLP on $\mathscr{A} \in \mathscr{V}$ is to build random paths from $\mathscr{A}$ in
$\mathscr{G}$ of length $\ln(2h_{\mathcal{O}})$ until one of them ends in $\mathscr{W}$, which happens with probability
higher than $\mu/2$, so after an expected number of independent trials smaller than
$2/\mu$. The length of each path is polynomial in $\ln(h_{\mathcal{O}})$, and the degree of each isogeny
on the path is bounded by $B_\varepsilon(\mathcal{O})$. So the algorithm computes a polynomial (in
$\log q$) number of isogenies, and each of them can be computed in polynomial time
(in $\log q$, $h^+_{\mathcal{O}_0}$ and $\mathrm{Disc}(K_0)$) by the DJR algorithm [DJR14, Dud16].

5. Computing an explicit isogeny between two given Jacobians

Let $\mathscr{C}$ and $\mathscr{C}'$ be two hyperelliptic curves of genus 2, defined over the finite
field $\mathbb{F}_q$. Let $\mathscr{A} = \mathrm{Jac}(\mathscr{C})$ and $\mathscr{B} = \mathrm{Jac}(\mathscr{C}')$ be their Jacobians. These are principally
polarized abelian varieties of dimension 2, so by Tate's isogeny theorem
[Tat66], $\mathscr{A}$ and $\mathscr{B}$ are isogenous over $\mathbb{F}_q$ if and only if their Frobenius polynomials
are the same. We know how to compute the latter (see [Pil90], or [GH00] for an
efficient algorithm whose running time is $O((\log q)^9)$), and thereby decide whether
or not there is an isogeny $\mathscr{A} \to \mathscr{B}$ defined over $\mathbb{F}_q$. Yet, once we know that $\mathscr{A}$
and $\mathscr{B}$ are isogenous, it is not clear how to explicitly compute an isogeny between
them. In this section, the expander properties of horizontal isogeny graphs are used
to construct and analyse an algorithm similar to Galbraith's algorithm [Gal99] to
build an isogeny between two such varieties having the same endomorphism ring.
The contribution of this new algorithm is two-fold. First, the analysis of Galbraith's
algorithm relies, in addition to GRH, on some heuristic assumptions on the growing
rate of some trees built in the isogeny graph. Using expander properties of these
graphs, our analysis relies solely on GRH. Second, while Galbraith's algorithm constructs
isogenies between elliptic curves, we provide a more general framework for
large families of horizontal isogeny graphs. Precisely, we require

(1) An order $\mathcal{O}$ of conductor $\mathfrak{f}$ in a CM-field $K$, and two isogenous abelian
varieties $\mathscr{A}$ and $\mathscr{B}$ over a finite field $\mathbb{F}_q$ with endomorphism ring $\mathcal{O}$;

(2) A set $S$ of ideals in $\mathcal{O}$ generating a subgroup $H$ of the class group $\mathrm{Cl}(\mathcal{O})$,
such that the orbits $H(\mathscr{A})$ and $H(\mathscr{B})$ coincide;

(3) The isogeny graph $\mathscr{G}$ induced by the action of $H$ on $H(\mathscr{A})$ has the rapid
mixing property, as described in Theorem 1.1;

(4) The isogenies corresponding to the edges of the graph can be computed in
time bounded by some tn > 0.

For elliptic curves, one can choose $H = \mathrm{Cl}(\mathcal{O})$, and $S$ the set of all ideals of
prime norm bounded by a bound $B = O(\log(d_K N\mathfrak{f})^{2+\varepsilon}) = O((\log q)^{2+\varepsilon})$. All these
isogenies can be computed in time tn polynomial in $\log q$, and Theorem 1.1, or
even the less general results of [JMV05, JMV09], shows that $\mathscr{G}$ has the rapid mixing
property. The smaller bound $O(\log(d_K N\mathfrak{f})^2)$ was used in Galbraith's approach; the
induced graph is then connected, but is not an expander, therefore some additional
heuristic assumptions were required for the analysis.

For Jacobians of genus 2 curves, one can choose $H = \mathscr{P}(\mathcal{O})$, and $S$ to be a
generating set of ideals of prime norms bounded by a bound $B = O((h^+_{\mathcal{O}_0}\log q)^{2+\varepsilon})$,
where $\mathcal{O}_0 = \mathcal{O} \cap K_0$. As seen in Section 4.1, the corresponding isogenies can then
be computed using the DJR algorithm when $\mathcal{O}_0$ is maximal and $[\mathcal{O} : \mathbb{Z}[\pi, \bar\pi]]$ is odd.

Write $h = |H|$. The idea is to find $h^{1/2}$ varieties "close" to $\mathscr{A}$ (in the sense that
we know a path of polynomial length from these to $\mathscr{A}$), and then to build paths
out of $\mathscr{B}$ until one of the neighbors of $\mathscr{A}$ is reached. In practice one could simply
use the same tree-growing strategy as Galbraith [Gal99], but the analysis of our
algorithm requires the various random paths to be independent in order to use the
expanding properties (and this independence is missing in the "tree" approach). The
algorithm goes as follows, presented in the most general setting.

Step 1 Build independent random paths in $\mathscr{G}$ of length $\ln(2h)$ from $\mathscr{A}$ until $h^{1/2}$
vertices are reached. Those are the neighbors of $\mathscr{A}$.

Step 2 Build independent random paths of length $\ln(2h)$ from $\mathscr{B}$ until a neighbor
of $\mathscr{A}$ is reached. There is now a short path between $\mathscr{A}$ and $\mathscr{B}$.

Now, let us prove that the number of paths considered at each step is on average
$O(h^{1/2})$. Let $Y$ be a subset of the vertices of $\mathscr{G}$, smaller than $2h/3$. By a trial, we
mean the computation of a random path of length $\ln(2h)$ from $\mathscr{A}$, and a trial is a
success if the path ends out of $Y$. Let us estimate the number $N_Y$ of independent
trials we need to obtain a success,

$$E[N_Y] = \sum_{i=1}^{\infty} i \Pr[i - 1 \text{ failures and 1 success}] \le \sum_{i=1}^{\infty} i \left(\frac{3|Y|}{2h}\right)^{i-1},$$

and from the generating function $(1 - x)^{-2} = \sum_{i=1}^{\infty} i x^{i-1}$ we obtain the inequality

$$E[N_Y] \le \left(1 - \frac{3|Y|}{2h}\right)^{-2} = \frac{4h^2}{(2h - 3|Y|)^2}.$$


Now consider the experiment consisting in a sequence of independent trials, and let
$Y_n$ be the first $n$ distinct points obtained from the first experiments. The number
$M_n$ of trials required to find $n$ distinct points can be estimated as

$$E[M_n] = \sum_{i=1}^{n-1} E[N_{Y_i}] \le \sum_{i=1}^{n-1} \frac{4h^2}{(2h - 3i)^2} \le \frac{4nh^2}{(2h - 3n)^2}.$$


In particular, to find $h^{1/2}$ neighbors of $\mathscr{A}$, the expected number of trials $E[M_{h^{1/2}}]$
is at most $4h^{1/2}$, assuming that $h$ is at least 9. Of course, in practice, we expect
to need far fewer trials since we count here only the end point of each path. This
proves that the expected number of paths we have to compute in Step 1 is $O(h^{1/2})$.
The expected number of paths considered in Step 2 can be found to be $O(h^{1/2})$
in a similar fashion. In total, we build $O(h^{1/2})$ paths of length $O(\ln h)$. So the
algorithm needs to compute $O(h^{1/2}\ln h)$ isogenies, each of them being computable
in time tn, and finds a path of length $O(\ln h)$ between $\mathscr{A}$ and $\mathscr{B}$.
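
The two-step search above can be run on a toy graph. The Python sketch below is an added illustration, not the authors' implementation: the cyclic group Z/1009 stands in for the subgroup H, a constructed symmetric multiset of residues stands in for the classes of the ideals in S, and adding a residue stands in for computing one isogeny. The walk length is taken from Lemma 3.2 using the computed eigenvalue bound, and all names and parameters are assumptions made for the example.

```python
import math
import random

def nontrivial_bound(h, gens):
    """c = max |lambda_chi| over the non-trivial characters of Z/h.
    gens is symmetric, so each eigenvalue is a real sum of cosines."""
    return max(abs(sum(math.cos(2 * math.pi * a * s / h) for s in gens))
               for a in range(1, h))

def random_path(h, gens, start, length, rng):
    """One independent random walk; returns its end vertex and the edge labels."""
    steps = [rng.choice(gens) for _ in range(length)]
    return (start + sum(steps)) % h, steps

def find_path(h, gens, a, b, rng):
    """Steps 1 and 2 on Cay(Z/h, gens). Returns the list of edge labels
    leading from a to b and the number of trials spent in each step."""
    c = nontrivial_bound(h, gens)
    # Lemma 3.2 length for a target of size >= 1; ln(2h) is the case k/c >= e.
    length = math.ceil(math.log(2 * h) / math.log(len(gens) / c))
    wanted = math.isqrt(h) + 1              # about h^(1/2) distinct end points
    near, trials1 = {}, 0
    while len(near) < wanted:               # Step 1: walks out of a
        end, steps = random_path(h, gens, a, length, rng)
        trials1 += 1
        near.setdefault(end, steps)         # keep one known path per end point
    trials2 = 0
    while True:                             # Step 2: walks out of b
        end, steps = random_path(h, gens, b, length, rng)
        trials2 += 1
        if end in near:
            # a -> end by the stored walk, then end -> b by reversing the walk
            # from b (the analogue of taking dual isogenies in reverse order).
            back = [(-s) % h for s in reversed(steps)]
            return near[end] + back, trials1, trials2

def follow(h, start, path):
    """Apply the edge labels of `path` one after the other."""
    for s in path:
        start = (start + s) % h
    return start

def demo(seed=1):
    rng = random.Random(seed)
    h = 1009                                # constructed toy group order
    half = rng.sample(range(1, h), 12)      # constructed generators
    gens = half + [(-s) % h for s in half]  # symmetric multiset, k = 24
    a, b = 17, 923                          # constructed start and end vertices
    path, trials1, trials2 = find_path(h, gens, a, b, rng)
    return h, gens, a, b, path, trials1, trials2

if __name__ == "__main__":
    h, gens, a, b, path, t1, t2 = demo()
    print(len(path), t1, t2, follow(h, a, path) == b)
```

Both trial counts stay on the order of $h^{1/2}$ on such inputs, while an exhaustive search of the graph would visit on the order of $h$ vertices.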